We are always improving the quality and coverage of our data sanitization, and today we will demonstrate how MetaDefender data sanitization helps prevent a vulnerability exploit in OpenOffice/LibreOffice. We chose CVE-2017-3157 for this demo, as it is one of the most recent vulnerabilities affecting the ODT file type at the time of publication.

Deep Dive into CVE-2017-3157: Arbitrary File Disclosure Vulnerability

By exploiting the way OpenOffice and LibreOffice render embedded objects, an attacker can craft a document that allows them to read from a file on the user's file system. Information can be retrieved by the attacker by using hidden sections to store the information, tricking the user into saving the document, and convincing the user to send the document back to the attacker.

Users of OpenOffice 4.1.3 and older or LibreOffice before 5.1.6 are affected by this vulnerability.

Below is an ODT file crafted to exploit CVE-2017-3157. When extracting this file, which contains an ObjectReplacement\Object1 file, the content is something like this:

Click images to expand

We can see some information, such as "username: default, password: default."

Also, the content.xml file in the extracted file has a relative link to a specific file.

Click image to expand

In this scenario, the attacker knows the file's location on the victim's machine and sets the file path accordingly. This makes the attack tricky, but there are several real-world scenarios in which this is possible. For example, if you download a file, it usually goes to "C:\Users\<username>\download," so the attacker can set the relative path as "../../../Windows/..." to get system file content.

Now, they send a phishing email to the victim, prompting the victim to update the document and send it back to them.

Suppose that this is the credential.txt file content on the victim's machine:

After the user opens the ODT file, updates it, and sends it back to the attacker (as prompted in the phishing email), the attacker extracts the ODT file and checks Object1 again.

Click image to expand

The attacker can now see the content of the credential.txt file on the victim's machine.

Does CDR work for this CVE?

After sanitizing the file, we extract the sanitized file to see what changed.

First, we see (above) that ObjectReplacement was removed.

Click image to expand

Second, we see that the relative link in context.xml was removed as well.

So it is safe to open!

The video below demonstrates the entire process.

Conclusion

The first line of defense against malicious files is to always be careful whenever opening a file. Read, think, and if necessary confirm with the sender before clicking on anything such as popups or links, and before enabling advanced features like macros. This level of caution is always necessary.

We are always adding support for more file types to MetaDefender data sanitization (CDR). We will publish updates to our blog as we add support for more file types. If you have any questions about this technology, contact OPSWAT today.

This website stores cookies on your computer. These cookies are used to improve the usability of this website and provide more personalized experience for you, both on this website and through other websites. To find out more about the cookies we use, see our Cookie Notice Policy.